Giorgio Biondi
2018-11-01 09:22:53 UTC
Hi all,
it seems that "repeated offenders" does not work, at least in a server-agent
configuration. I have an OSSEC server with 10 agents. Below is an excerpt
of the ossec.conf configuration on the server. I repeated attacks from one IP
(not the one shown, obviously: I intentionally substituted a non-existent IP)
and the OSSEC agent keeps removing the block every 10 minutes, as if
"repeated offenders" were not configured at all. Where am I going wrong?
Extract from my ossec.conf:
<!-- Active Response Config -->
<active-response>
<!-- Runs the host-deny command on every host (location "all") for any
- event that fires a rule with level (severity) >= 6.
- timeout is in seconds: the entry is removed again after 600 s, which
- matches the add/delete pairs roughly 10 minutes apart in the log
- excerpt below.
- repeated_offenders lists escalating timeouts in minutes (60,120,480).
- NOTE(review): the escalation is applied by the active-response
- executor on the host that actually runs the script, so it is read from
- that host's own ossec.conf; presumably a copy on the manager alone
- does not reach the agents. Confirm against the OSSEC docs for your
- version.
-->
<command>host-deny</command>
<location>all</location>
<level>6</level>
<timeout>600</timeout>
<repeated_offenders>60,120,480</repeated_offenders>
</active-response>
<active-response>
<!-- Firewall Drop response: blocks the IP on the host firewall
- (iptables, ipfilter, etc.) on every host (location "all") for any
- rule with level >= 6.
- timeout is in seconds (600 s); repeated_offenders is in minutes.
- NOTE(review): with location "all" and a level threshold of 6, make
- sure trusted addresses (the manager, management hosts, DNS) are in
- the global white_list so a response cannot lock you out; confirm the
- option name against the docs for your version.
-->
<command>firewall-drop</command>
<location>all</location>
<level>6</level>
<timeout>600</timeout>
<repeated_offenders>60,120,480</repeated_offenders>
</active-response>
mer 31 ott 2018, 09.21.02, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540974061.2371341 5503
mer 31 ott 2018, 09.21.02, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540974061.2371341 5503
mer 31 ott 2018, 09.31.08, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540974061.2371341 5503
mer 31 ott 2018, 09.31.08, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540974061.2371341 5503
mer 31 ott 2018, 09.31.18, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540974678.2565115 3332
mer 31 ott 2018, 09.31.18, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540974678.2565115 3332
mer 31 ott 2018, 09.41.36, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540974678.2565115 3332
mer 31 ott 2018, 09.41.37, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540974678.2565115 3332
mer 31 ott 2018, 09.42.01, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540975321.2759002 5503
mer 31 ott 2018, 09.42.01, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540975321.2759002 5503
mer 31 ott 2018, 09.52.19, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540975321.2759002 5503
mer 31 ott 2018, 09.52.19, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540975321.2759002 5503
mer 31 ott 2018, 09.52.41, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540975961.2951572 3332
mer 31 ott 2018, 09.52.41, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540975961.2951572 3332
mer 31 ott 2018, 10.03.15, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540975961.2951572 3332
mer 31 ott 2018, 10.03.15, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540975961.2951572 3332
mer 31 ott 2018, 10.03.31, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540976611.3162262 5503
mer 31 ott 2018, 10.03.31, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540976611.3162262 5503
mer 31 ott 2018, 10.14.17, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540976611.3162262 5503
mer 31 ott 2018, 10.14.17, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540976611.3162262 5503
mer 31 ott 2018, 10.14.28, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540977268.3379208 5503
mer 31 ott 2018, 10.14.28, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540977268.3379208 5503
mer 31 ott 2018, 10.25.42, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540977268.3379208 5503
mer 31 ott 2018, 10.25.42, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540977268.3379208 5503
mer 31 ott 2018, 10.25.54, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540977954.3602834 3332
mer 31 ott 2018, 10.25.54, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540977954.3602834 3332
mer 31 ott 2018, 10.36.09, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540977954.3602834 3332
mer 31 ott 2018, 10.36.09, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540977954.3602834 3332
mer 31 ott 2018, 10.36.25, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540978585.3812477 3332
mer 31 ott 2018, 10.36.25, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540978585.3812477 3332
mer 31 ott 2018, 10.47.32, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540978585.3812477 3332
mer 31 ott 2018, 10.47.32, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540978585.3812477 3332
mer 31 ott 2018, 10.47.52, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540979272.4060742 3332
mer 31 ott 2018, 10.47.52, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540979272.4060742 3332
mer 31 ott 2018, 10.58.05, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540979272.4060742 3332
mer 31 ott 2018, 10.58.05, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540979272.4060742 3332
mer 31 ott 2018, 10.58.22, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540979902.4289470 3332
mer 31 ott 2018, 10.58.22, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540979902.4289470 3332
mer 31 ott 2018, 11.08.26, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540979902.4289470 3332
mer 31 ott 2018, 11.08.26, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540979902.4289470 3332
mer 31 ott 2018, 11.08.44, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540980524.4502880 5503
mer 31 ott 2018, 11.08.44, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540980524.4502880 5503
mer 31 ott 2018, 11.19.28, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540980524.4502880 5503
mer 31 ott 2018, 11.19.28, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540980524.4502880 5503
mer 31 ott 2018, 11.19.44, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540981184.4725378 5503
mer 31 ott 2018, 11.19.44, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540981184.4725378 5503
mer 31 ott 2018, 11.30.08, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540981184.4725378 5503
mer 31 ott 2018, 11.30.08, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540981184.4725378 5503
mer 31 ott 2018, 11.30.25, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540981825.4927795 3332
mer 31 ott 2018, 11.30.25, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540981825.4927795 3332
mer 31 ott 2018, 11.40.30, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540981825.4927795 3332
mer 31 ott 2018, 11.40.30, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540981825.4927795 3332
mer 31 ott 2018, 11.40.55, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540982455.5164767 3332
mer 31 ott 2018, 11.40.55, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540982455.5164767 3332
mer 31 ott 2018, 11.52.09, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540982455.5164767 3332
mer 31 ott 2018, 11.52.09, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540982455.5164767 3332
mer 31 ott 2018, 11.52.29, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540983149.5417484 5503
mer 31 ott 2018, 11.52.29, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540983149.5417484 5503
mer 31 ott 2018, 12.02.58, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540983149.5417484 5503
mer 31 ott 2018, 12.02.58, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540983149.5417484 5503
mer 31 ott 2018, 12.03.23, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540983803.5649403 5503
mer 31 ott 2018, 12.03.23, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540983803.5649403 5503
mer 31 ott 2018, 12.13.32, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540983803.5649403 5503
mer 31 ott 2018, 12.13.32, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540983803.5649403 5503
mer 31 ott 2018, 12.13.46, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540984426.5891079 3332
mer 31 ott 2018, 12.13.46, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540984426.5891079 3332
mer 31 ott 2018, 12.24.37, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540984426.5891079 3332
mer 31 ott 2018, 12.24.37, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540984426.5891079 3332
mer 31 ott 2018, 12.24.53, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540985093.6128510 5503
mer 31 ott 2018, 12.24.53, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540985093.6128510 5503
mer 31 ott 2018, 12.35.22, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540985093.6128510 5503
mer 31 ott 2018, 12.35.22, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540985093.6128510 5503
mer 31 ott 2018, 12.35.50, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540985750.6360742 5503
mer 31 ott 2018, 12.35.50, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540985750.6360742 5503
mer 31 ott 2018, 12.45.55, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540985750.6360742 5503
mer 31 ott 2018, 12.45.55, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540985750.6360742 5503
mer 31 ott 2018, 12.46.03, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540986363.6570067 3332
mer 31 ott 2018, 12.46.03, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540986363.6570067 3332
mer 31 ott 2018, 12.56.25, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540986363.6570067 3332
mer 31 ott 2018, 12.56.25, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540986363.6570067 3332
mer 31 ott 2018, 12.56.49, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540987009.6790531 5503
mer 31 ott 2018, 12.56.49, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540987009.6790531 5503
mer 31 ott 2018, 13.05.27, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540987009.6790531 5503
mer 31 ott 2018, 13.05.27, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540987009.6790531 5503
mer 31 ott 2018, 13.05.52, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540987552.6938842 3332
mer 31 ott 2018, 13.05.52, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540987552.6938842 3332
mer 31 ott 2018, 13.19.05, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540987552.6938842 3332
mer 31 ott 2018, 13.19.05, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540987552.6938842 3332
mer 31 ott 2018, 13.19.19, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540988359.7189435 3332
mer 31 ott 2018, 13.19.19, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540988359.7189435 3332
mer 31 ott 2018, 13.25.03, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540988359.7189435 3332
mer 31 ott 2018, 13.25.03, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540988359.7189435 3332
mer 31 ott 2018, 13.25.20, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540988720.7282686 3332
mer 31 ott 2018, 13.25.20, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540988720.7282686 3332
mer 31 ott 2018, 13.35.58, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540988720.7282686 3332
mer 31 ott 2018, 13.35.58, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540988720.7282686 3332
mer 31 ott 2018, 13.36.08, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540989368.7420899 5503
mer 31 ott 2018, 13.36.08, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540989368.7420899 5503
mer 31 ott 2018, 13.47.18, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540989368.7420899 5503
mer 31 ott 2018, 13.47.18, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540989368.7420899 5503
mer 31 ott 2018, 13.55.14, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540990514.7714017 3332
mer 31 ott 2018, 13.55.14, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540990514.7714017 3332
mer 31 ott 2018, 14.05.18, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540990514.7714017 3332
mer 31 ott 2018, 14.05.18, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540990514.7714017 3332
mer 31 ott 2018, 14.05.38, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540991138.7832686 5503
mer 31 ott 2018, 14.05.38, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540991138.7832686 5503
mer 31 ott 2018, 14.16.23, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540991138.7832686 5503
mer 31 ott 2018, 14.16.23, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540991138.7832686 5503
mer 31 ott 2018, 14.16.57, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540991817.7983932 5503
mer 31 ott 2018, 14.16.57, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540991817.7983932 5503
mer 31 ott 2018, 14.27.17, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540991817.7983932 5503
mer 31 ott 2018, 14.27.17, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540991817.7983932 5503
mer 31 ott 2018, 14.27.31, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540992451.8107356 5503
mer 31 ott 2018, 14.27.31, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540992451.8107356 5503
mer 31 ott 2018, 14.37.45, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540992451.8107356 5503
mer 31 ott 2018, 14.37.45, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540992451.8107356 5503
mer 31 ott 2018, 14.37.59, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540993080.8239796 3332
mer 31 ott 2018, 14.37.59, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540993080.8239796 3332
mer 31 ott 2018, 14.48.08, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540993080.8239796 3332
mer 31 ott 2018, 14.48.08, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540993080.8239796 3332
mer 31 ott 2018, 14.48.19, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540993699.8369020 5503
mer 31 ott 2018, 14.48.19, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540993699.8369020 5503
mer 31 ott 2018, 14.58.45, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540993699.8369020 5503
mer 31 ott 2018, 14.58.45, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540993699.8369020 5503
mer 31 ott 2018, 14.59.10, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540994350.8511168 5503
mer 31 ott 2018, 14.59.10, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540994350.8511168 5503
mer 31 ott 2018, 15.09.28, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540994350.8511168 5503
mer 31 ott 2018, 15.09.28, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540994350.8511168 5503
mer 31 ott 2018, 15.09.38, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540994978.8654896 5503
mer 31 ott 2018, 15.09.38, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540994978.8654896 5503
mer 31 ott 2018, 15.19.45, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540994978.8654896 5503
mer 31 ott 2018, 15.19.45, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540994978.8654896 5503
mer 31 ott 2018, 15.20.07, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540995607.8791144 5503
mer 31 ott 2018, 15.20.07, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540995607.8791144 5503
mer 31 ott 2018, 15.30.18, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540995607.8791144 5503
mer 31 ott 2018, 15.30.18, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540995607.8791144 5503
mer 31 ott 2018, 15.30.28, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540996228.8928132 5503
mer 31 ott 2018, 15.30.28, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540996228.8928132 5503
mer 31 ott 2018, 15.40.43, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540996228.8928132 5503
mer 31 ott 2018, 15.40.43, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540996228.8928132 5503
mer 31 ott 2018, 15.40.55, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540996855.9104838 5503
mer 31 ott 2018, 15.40.55, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540996855.9104838 5503
mer 31 ott 2018, 15.52.02, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540996855.9104838 5503
mer 31 ott 2018, 15.52.02, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540996855.9104838 5503
it seems that "repeated offenders" does not work, at least in a server-agent
configuration. I have an OSSEC server with 10 agents. Below is an excerpt
of the ossec.conf configuration on the server. I repeated attacks from one IP
(not the one shown, obviously: I intentionally substituted a non-existent IP)
and the OSSEC agent keeps removing the block every 10 minutes, as if
"repeated offenders" were not configured at all. Where am I going wrong?
Extract from my ossec.conf:
<!-- Active Response Config -->
<active-response>
<!-- Runs the host-deny command on every host (location "all") for any
- event that fires a rule with level (severity) >= 6.
- timeout is in seconds: the entry is removed again after 600 s, which
- matches the add/delete pairs roughly 10 minutes apart in the log
- excerpt below.
- repeated_offenders lists escalating timeouts in minutes (60,120,480).
- NOTE(review): the escalation is applied by the active-response
- executor on the host that actually runs the script, so it is read from
- that host's own ossec.conf; presumably a copy on the manager alone
- does not reach the agents. Confirm against the OSSEC docs for your
- version.
-->
<command>host-deny</command>
<location>all</location>
<level>6</level>
<timeout>600</timeout>
<repeated_offenders>60,120,480</repeated_offenders>
</active-response>
<active-response>
<!-- Firewall Drop response: blocks the IP on the host firewall
- (iptables, ipfilter, etc.) on every host (location "all") for any
- rule with level >= 6.
- timeout is in seconds (600 s); repeated_offenders is in minutes.
- NOTE(review): with location "all" and a level threshold of 6, make
- sure trusted addresses (the manager, management hosts, DNS) are in
- the global white_list so a response cannot lock you out; confirm the
- option name against the docs for your version.
-->
<command>firewall-drop</command>
<location>all</location>
<level>6</level>
<timeout>600</timeout>
<repeated_offenders>60,120,480</repeated_offenders>
</active-response>
mer 31 ott 2018, 09.21.02, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540974061.2371341 5503
mer 31 ott 2018, 09.21.02, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540974061.2371341 5503
mer 31 ott 2018, 09.31.08, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540974061.2371341 5503
mer 31 ott 2018, 09.31.08, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540974061.2371341 5503
mer 31 ott 2018, 09.31.18, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540974678.2565115 3332
mer 31 ott 2018, 09.31.18, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540974678.2565115 3332
mer 31 ott 2018, 09.41.36, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540974678.2565115 3332
mer 31 ott 2018, 09.41.37, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540974678.2565115 3332
mer 31 ott 2018, 09.42.01, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540975321.2759002 5503
mer 31 ott 2018, 09.42.01, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540975321.2759002 5503
mer 31 ott 2018, 09.52.19, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540975321.2759002 5503
mer 31 ott 2018, 09.52.19, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540975321.2759002 5503
mer 31 ott 2018, 09.52.41, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540975961.2951572 3332
mer 31 ott 2018, 09.52.41, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540975961.2951572 3332
mer 31 ott 2018, 10.03.15, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540975961.2951572 3332
mer 31 ott 2018, 10.03.15, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540975961.2951572 3332
mer 31 ott 2018, 10.03.31, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540976611.3162262 5503
mer 31 ott 2018, 10.03.31, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540976611.3162262 5503
mer 31 ott 2018, 10.14.17, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540976611.3162262 5503
mer 31 ott 2018, 10.14.17, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540976611.3162262 5503
mer 31 ott 2018, 10.14.28, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540977268.3379208 5503
mer 31 ott 2018, 10.14.28, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540977268.3379208 5503
mer 31 ott 2018, 10.25.42, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540977268.3379208 5503
mer 31 ott 2018, 10.25.42, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540977268.3379208 5503
mer 31 ott 2018, 10.25.54, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540977954.3602834 3332
mer 31 ott 2018, 10.25.54, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540977954.3602834 3332
mer 31 ott 2018, 10.36.09, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540977954.3602834 3332
mer 31 ott 2018, 10.36.09, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540977954.3602834 3332
mer 31 ott 2018, 10.36.25, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540978585.3812477 3332
mer 31 ott 2018, 10.36.25, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540978585.3812477 3332
mer 31 ott 2018, 10.47.32, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540978585.3812477 3332
mer 31 ott 2018, 10.47.32, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540978585.3812477 3332
mer 31 ott 2018, 10.47.52, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540979272.4060742 3332
mer 31 ott 2018, 10.47.52, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540979272.4060742 3332
mer 31 ott 2018, 10.58.05, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540979272.4060742 3332
mer 31 ott 2018, 10.58.05, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540979272.4060742 3332
mer 31 ott 2018, 10.58.22, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540979902.4289470 3332
mer 31 ott 2018, 10.58.22, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540979902.4289470 3332
mer 31 ott 2018, 11.08.26, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540979902.4289470 3332
mer 31 ott 2018, 11.08.26, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540979902.4289470 3332
mer 31 ott 2018, 11.08.44, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540980524.4502880 5503
mer 31 ott 2018, 11.08.44, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540980524.4502880 5503
mer 31 ott 2018, 11.19.28, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540980524.4502880 5503
mer 31 ott 2018, 11.19.28, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540980524.4502880 5503
mer 31 ott 2018, 11.19.44, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540981184.4725378 5503
mer 31 ott 2018, 11.19.44, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540981184.4725378 5503
mer 31 ott 2018, 11.30.08, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540981184.4725378 5503
mer 31 ott 2018, 11.30.08, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540981184.4725378 5503
mer 31 ott 2018, 11.30.25, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540981825.4927795 3332
mer 31 ott 2018, 11.30.25, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540981825.4927795 3332
mer 31 ott 2018, 11.40.30, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540981825.4927795 3332
mer 31 ott 2018, 11.40.30, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540981825.4927795 3332
mer 31 ott 2018, 11.40.55, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540982455.5164767 3332
mer 31 ott 2018, 11.40.55, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540982455.5164767 3332
mer 31 ott 2018, 11.52.09, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540982455.5164767 3332
mer 31 ott 2018, 11.52.09, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540982455.5164767 3332
mer 31 ott 2018, 11.52.29, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540983149.5417484 5503
mer 31 ott 2018, 11.52.29, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540983149.5417484 5503
mer 31 ott 2018, 12.02.58, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540983149.5417484 5503
mer 31 ott 2018, 12.02.58, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540983149.5417484 5503
mer 31 ott 2018, 12.03.23, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540983803.5649403 5503
mer 31 ott 2018, 12.03.23, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540983803.5649403 5503
mer 31 ott 2018, 12.13.32, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540983803.5649403 5503
mer 31 ott 2018, 12.13.32, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540983803.5649403 5503
mer 31 ott 2018, 12.13.46, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540984426.5891079 3332
mer 31 ott 2018, 12.13.46, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540984426.5891079 3332
mer 31 ott 2018, 12.24.37, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540984426.5891079 3332
mer 31 ott 2018, 12.24.37, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540984426.5891079 3332
mer 31 ott 2018, 12.24.53, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540985093.6128510 5503
mer 31 ott 2018, 12.24.53, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540985093.6128510 5503
mer 31 ott 2018, 12.35.22, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540985093.6128510 5503
mer 31 ott 2018, 12.35.22, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540985093.6128510 5503
mer 31 ott 2018, 12.35.50, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540985750.6360742 5503
mer 31 ott 2018, 12.35.50, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540985750.6360742 5503
mer 31 ott 2018, 12.45.55, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540985750.6360742 5503
mer 31 ott 2018, 12.45.55, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540985750.6360742 5503
mer 31 ott 2018, 12.46.03, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540986363.6570067 3332
mer 31 ott 2018, 12.46.03, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540986363.6570067 3332
mer 31 ott 2018, 12.56.25, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540986363.6570067 3332
mer 31 ott 2018, 12.56.25, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540986363.6570067 3332
mer 31 ott 2018, 12.56.49, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540987009.6790531 5503
mer 31 ott 2018, 12.56.49, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540987009.6790531 5503
mer 31 ott 2018, 13.05.27, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540987009.6790531 5503
mer 31 ott 2018, 13.05.27, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540987009.6790531 5503
mer 31 ott 2018, 13.05.52, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540987552.6938842 3332
mer 31 ott 2018, 13.05.52, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540987552.6938842 3332
mer 31 ott 2018, 13.19.05, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540987552.6938842 3332
mer 31 ott 2018, 13.19.05, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540987552.6938842 3332
mer 31 ott 2018, 13.19.19, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540988359.7189435 3332
mer 31 ott 2018, 13.19.19, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540988359.7189435 3332
mer 31 ott 2018, 13.25.03, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540988359.7189435 3332
mer 31 ott 2018, 13.25.03, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540988359.7189435 3332
mer 31 ott 2018, 13.25.20, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540988720.7282686 3332
mer 31 ott 2018, 13.25.20, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540988720.7282686 3332
mer 31 ott 2018, 13.35.58, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540988720.7282686 3332
mer 31 ott 2018, 13.35.58, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540988720.7282686 3332
mer 31 ott 2018, 13.36.08, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540989368.7420899 5503
mer 31 ott 2018, 13.36.08, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540989368.7420899 5503
mer 31 ott 2018, 13.47.18, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540989368.7420899 5503
mer 31 ott 2018, 13.47.18, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540989368.7420899 5503
mer 31 ott 2018, 13.55.14, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540990514.7714017 3332
mer 31 ott 2018, 13.55.14, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540990514.7714017 3332
mer 31 ott 2018, 14.05.18, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540990514.7714017 3332
mer 31 ott 2018, 14.05.18, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540990514.7714017 3332
mer 31 ott 2018, 14.05.38, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540991138.7832686 5503
mer 31 ott 2018, 14.05.38, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540991138.7832686 5503
mer 31 ott 2018, 14.16.23, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540991138.7832686 5503
mer 31 ott 2018, 14.16.23, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540991138.7832686 5503
mer 31 ott 2018, 14.16.57, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540991817.7983932 5503
mer 31 ott 2018, 14.16.57, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540991817.7983932 5503
mer 31 ott 2018, 14.27.17, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540991817.7983932 5503
mer 31 ott 2018, 14.27.17, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540991817.7983932 5503
mer 31 ott 2018, 14.27.31, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540992451.8107356 5503
mer 31 ott 2018, 14.27.31, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540992451.8107356 5503
mer 31 ott 2018, 14.37.45, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540992451.8107356 5503
mer 31 ott 2018, 14.37.45, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540992451.8107356 5503
mer 31 ott 2018, 14.37.59, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540993080.8239796 3332
mer 31 ott 2018, 14.37.59, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540993080.8239796 3332
mer 31 ott 2018, 14.48.08, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540993080.8239796 3332
mer 31 ott 2018, 14.48.08, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540993080.8239796 3332
mer 31 ott 2018, 14.48.19, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540993699.8369020 5503
mer 31 ott 2018, 14.48.19, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540993699.8369020 5503
mer 31 ott 2018, 14.58.45, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540993699.8369020 5503
mer 31 ott 2018, 14.58.45, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540993699.8369020 5503
mer 31 ott 2018, 14.59.10, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540994350.8511168 5503
mer 31 ott 2018, 14.59.10, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540994350.8511168 5503
mer 31 ott 2018, 15.09.28, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540994350.8511168 5503
mer 31 ott 2018, 15.09.28, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540994350.8511168 5503
mer 31 ott 2018, 15.09.38, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540994978.8654896 5503
mer 31 ott 2018, 15.09.38, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540994978.8654896 5503
mer 31 ott 2018, 15.19.45, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540994978.8654896 5503
mer 31 ott 2018, 15.19.45, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540994978.8654896 5503
mer 31 ott 2018, 15.20.07, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540995607.8791144 5503
mer 31 ott 2018, 15.20.07, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540995607.8791144 5503
mer 31 ott 2018, 15.30.18, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540995607.8791144 5503
mer 31 ott 2018, 15.30.18, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540995607.8791144 5503
mer 31 ott 2018, 15.30.28, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540996228.8928132 5503
mer 31 ott 2018, 15.30.28, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540996228.8928132 5503
mer 31 ott 2018, 15.40.43, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540996228.8928132 5503
mer 31 ott 2018, 15.40.43, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540996228.8928132 5503
mer 31 ott 2018, 15.40.55, CET /var/ossec/active-response/bin/host-deny.sh
add - 127.127.127.127 1540996855.9104838 5503
mer 31 ott 2018, 15.40.55, CET
/var/ossec/active-response/bin/firewall-drop.sh add - 127.127.127.127
1540996855.9104838 5503
mer 31 ott 2018, 15.52.02, CET /var/ossec/active-response/bin/host-deny.sh
delete - 127.127.127.127 1540996855.9104838 5503
mer 31 ott 2018, 15.52.02, CET
/var/ossec/active-response/bin/firewall-drop.sh delete - 127.127.127.127
1540996855.9104838 5503